## This file is for simulating the hacking action. SUPPORT for DEMO SCENARIO 4: Using EDA + webhook to auto-create firewall rules when detecting some "hacking" behavior
## path: /root/./hacking-monitor-2.sh

#!/bin/bash

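set -u

# Runtime configuration. Each value may be overridden from the environment so
# the same script can watch another log or post to another receiver without
# being edited; the defaults are the demo's original values.
LOG_FILE="${LOG_FILE:-/var/log/secure}"
WEBHOOK_URL="${WEBHOOK_URL:-http://10.71.18.47:5000/endpoint}"
# Failed root logins from one IP within the inspected window before an alert fires.
THRESHOLD="${THRESHOLD:-6}"
# Trailing log lines inspected on every pass.
WINDOW_LINES="${WINDOW_LINES:-30}"
# Seconds to wait between passes.
INTERVAL="${INTERVAL:-30}"
# Upper bound on one webhook call, so a slow or hung receiver cannot stall the loop.
CURL_TIMEOUT="${CURL_TIMEOUT:-10}"
readonly LOG_FILE WEBHOOK_URL THRESHOLD WINDOW_LINES INTERVAL CURL_TIMEOUT

#######################################
# Tally failed root SSH logins per source IP.
# Reads sshd log lines on stdin; on every line recording a failed password for
# root, each token that looks like a dotted quad is extracted and counted.
# Outputs: one "<count> <ip>" pair per line on stdout (uniq -c format);
#          nothing when no line matches.
#######################################
count_failed_root_logins() {
  grep -F -- 'Failed password for root from' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i }' \
    | sort | uniq -c
}

#######################################
# Raise one alert for an offending IP: a syslog entry plus a webhook POST.
# Arguments: $1 - source IP; only digits and dots reach here because the
#                 caller's awk filter admits nothing else, so it is safe to
#                 interpolate into the syslog message.
# Globals:   WEBHOOK_URL, CURL_TIMEOUT (read)
# Returns:   0; a failed delivery is logged, not fatal, so monitoring continues.
#######################################
send_alert() {
  local ip=$1
  logger "Warning! Hacking Detected from ${ip}"
  # The payload text is kept verbatim: the receiving EDA rulebook presumably
  # matches on this exact message -- NOTE(review): confirm before adding fields
  # such as the IP.
  if ! curl -sS --fail --max-time "$CURL_TIMEOUT" \
         -H 'Content-Type: application/json' \
         -d '{"message": "Warning! Hacking Detected!"}' \
         --url "$WEBHOOK_URL"; then
    logger "hacking-monitor: webhook delivery to ${WEBHOOK_URL} failed"
  fi
  return 0
}

#######################################
# Poll forever: inspect the last WINDOW_LINES lines of LOG_FILE every INTERVAL
# seconds and alert on every IP whose count reaches THRESHOLD.
# The tail is piped straight into the counter; staging it in a fixed,
# predictable /tmp path would let any local user pre-create or symlink that
# file and feed the monitor (or clobber a target) on its next pass.
# No state is kept between passes, so an IP is reported again on every pass
# for as long as its lines remain inside the window.
# Globals:   LOG_FILE, WINDOW_LINES, INTERVAL, THRESHOLD (read)
# Returns:   never on success; 1 if LOG_FILE is not readable at start-up.
#######################################
main() {
  local count ip
  if [[ ! -r "$LOG_FILE" ]]; then
    printf 'hacking-monitor: cannot read %s\n' "$LOG_FILE" >&2
    return 1
  fi
  while true; do
    tail -n "$WINDOW_LINES" -- "$LOG_FILE" \
      | count_failed_root_logins \
      | while read -r count ip; do
          if (( count >= THRESHOLD )); then
            send_alert "$ip"
          fi
        done
    sleep "$INTERVAL"
  done
}

main "$@"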
